RE: Audit Policy

From: v-xuwen@xxxxxxxxxxxxxxxxxxxx (Vincent Xu [MSFT])
Date: Tue, 06 Jun 2006 02:39:05 GMT

Hi George,

Based on my knowledge, If you define this policy setting, you can specify
whether to audit successes, audit failures, or not audit the event type at
all. Success audits generate an audit entry when the exercise of a user
right succeeds. Failure audits generate an audit entry when the exercise of
a user right fails.

May including:

Bypass traverse checking
Debug programs
Create a token object
Replace process level token
Generate security audits
Back up files and directories
Restore files and directories

Thanks.

Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no rights.
======================================================

--------------------

Thread-Topic: Audit Policy
thread-index: AcaInmugh+dhCr47TyaEjai9HTFKtQ==
X-WBNR-Posting-Host: 209.244.152.162
From: =?Utf-8?B?R2VvcmdlIFNjaG5laWRlcg==?=

<georgedschneider@xxxxxxxxxxxxxx>

Subject: Audit Policy
Date: Mon, 5 Jun 2006 05:49:01 -0700
Lines: 10
Message-ID: <BC583F47-3072-4C4E-B35F-B2B2E3EF6299@xxxxxxxxxxxxx>
MIME-Version: 1.0
Content-Type: text/plain;
charset="Utf-8"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
Newsgroups: microsoft.public.win2000.security
Path: TK2MSFTNGXA01.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.win2000.security:41379
NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
X-Tomcat-NG: microsoft.public.win2000.security

I was taking a look at my event logs and noticed that the security log
contains tons of 576 and 578 events for Priviledge Use. In our group

policy

I have it set to overwrite events a sneeded which prsents a problem with

some

many events being logged. The maxium log size is set to 1024 kb. Events
overwritwe each other before the end of a day. What is Priviledge Use?

thought is that I should change our Audit policy to audit only failures.

went into Group Policy and changed the audit settings for Audit object

access

to falure instead of success, failure. I thought this would fix the
problem. What audit policy setting will determine success, failure audit

for

priveldge use.

Prev by Date: Re: krbtgt Account
Next by Date: Re: krbtgt Account
Previous by thread: Re: Audit Policy
Next by thread: Re: Security update failures
Index(es):
- Date
- Thread

Relevant Pages

Re: How to determine who changed permissions on a directory?
... Audit Account Logon events - Success, Failure ... Computer: SERVER1 ...
(microsoft.public.security)
Re: How to determine who changed permissions on a directory?
... if your resources are ACL's only with resource groups ... Audit Account Logon events - Success, Failure ...
(microsoft.public.security)
RE: 1,800 files missing from system32
... Audit account logon events:: Success, Failure ... Audit directory service access:: Failure ...
(Incidents)
Re: Local Security Policy problem - Need Help
... > Local Security Policy. ... > Audit Policy, and then click the events that you want to audit. ... Audit account logon events (Success, Failure) ...
(microsoft.public.windowsxp.security_admin)
Re: 1,800 files missing from system32
... Audit account logon events:: Success, Failure ... Audit directory service access:: Failure ...
(Incidents)